1. Field of the Invention
The present invention relates to the field of multi-level secure operating environments. Specifically, an embodiment of the present invention relates to a method and a system for diagnosing data transport failures in a multi-level secure operating environment.
2. Related Art
Over the past few decades, computer systems have become corporate-wide resources, essential for day-to-day operations. A wide range of information on new products, engineering data, employee compensation, health records, marketing and sales plans, and other sensitive data is often stored on these systems. Considerable cost, damage, and loss can be caused by hostile or unauthorized access and use of this sensitive information.
In order to control external access, firewalls and other systems are often used as gatekeepers. One method available for providing extensive internal protection against intruders and misuse is the multi-level secure operating environment. This environment allows system administrators to limit access to system and data resources by setting controls on all potential interactions with programs, file access, and utilities on a user-by-user basis.
Since information can have many levels of sensitivity, it is assigned a classification based on its sensitivity level. Within the multi-level secure operating environment, there exist controls that track information by its assigned classification to assure that the information reaches only those destinations that are cleared for that classification. Various access controls are used throughout the population of multi-level secure operating environments. One example of a multi-level secure operating environment control is a label-based access control that is automatically enforced by the system. In the case of label-based access controls, each data packet carries a label containing the classification of the data in the packet and also the credentials or privileges of the process that generated the data.
There are some locations, e.g., users, within a distributed environment that have clearance to see information with a particular classification and some that do not. This depends upon the level of trust that a system administrator has assigned to each location within the environment. Therefore, there are instances in which a data packet never reaches its destination, not because of a hardware connectivity problem, but because of a security requirement carried by the data for which the destination is not cleared. In the case of such a data transport failure, there is no “error” and, therefore, no error message is generated. The system is not allowed to return a message regarding the data sensitivity issue that halted the data transport, because such a message in itself constitutes sensitive information: it would reveal to the sender that the destination holds a classification for which the sender is not cleared (e.g., a lower classified level can send information to a higher level, but cannot receive information back from the higher classified level). This creates a very difficult problem for the system administrator to diagnose. The troubleshooting paths that a system administrator typically follows will reveal no problem if the issue is not one of connectivity. Therefore there is no apparent way to determine what went wrong with the data packet.
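The following simulation is an added illustration of the label-based transport check described in the two preceding paragraphs; it is not code from the patent or from any particular multi-level secure operating system. The label format (a hierarchical level plus a set of compartments), the dominance rule, the node names, the packet contents and the privileged audit record kept by the transport are all assumptions made for the example. Its purpose is to show that a packet rejected on label grounds leaves the sender with exactly the same observation as a packet that was delivered, which is why the usual connectivity-oriented troubleshooting finds nothing.

```python
"""Simulated label-based access control on a packet transport path.

Added example, not the patent's code. The label model (level + compartments),
the dominance rule, the node names and payloads, and the privileged audit
record are constructed assumptions for illustration.
"""
from dataclasses import dataclass, field

# Hierarchical sensitivity levels, lowest to highest (assumed ordering).
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP_SECRET": 3}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        """True if this label is at least as sensitive as `other`:
        the level is not lower and every compartment of `other` is held here."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and other.compartments <= self.compartments)


@dataclass
class Packet:
    src: str
    dst: str
    label: Label     # classification of the payload and the sending process
    payload: bytes


@dataclass
class Node:
    name: str
    clearance: Label
    inbox: list = field(default_factory=list)


class LabelEnforcingTransport:
    """Delivers a packet only if the destination's clearance dominates the
    packet's label. A failed check produces no return value and no exception
    on the sender's path: an explicit rejection would itself disclose that the
    destination is cleared for something the sender is not. The reason is kept
    only in a privileged audit record (an assumed administrator-only view)."""

    def __init__(self, nodes):
        self.nodes = {n.name: n for n in nodes}
        self.audit = []  # privileged; never exposed to the sender

    def send(self, pkt: Packet) -> None:
        dst = self.nodes[pkt.dst]
        if dst.clearance.dominates(pkt.label):
            dst.inbox.append(pkt)
            self.audit.append(("DELIVERED", pkt.src, pkt.dst, pkt.label))
        else:
            self.audit.append(("LABEL_DROP", pkt.src, pkt.dst, pkt.label))
        # Deliberately identical behaviour in both branches from the sender's
        # point of view: the drop is indistinguishable from a connectivity loss.


def demo():
    """Three constructed exchanges: one write-up that is delivered, one reply
    back down that is silently dropped, one compartment mismatch also dropped."""
    alice = Node("alice", Label("CONFIDENTIAL"))
    bob = Node("bob", Label("SECRET", frozenset({"CRYPTO"})))
    carol = Node("carol", Label("SECRET"))
    transport = LabelEnforcingTransport([alice, bob, carol])

    # 1. CONFIDENTIAL data sent up to a SECRET destination: delivered.
    transport.send(Packet("alice", "bob", alice.clearance, b"status report"))
    # 2. SECRET reply sent down to a CONFIDENTIAL destination: dropped, no error.
    transport.send(Packet("bob", "alice", Label("SECRET"), b"ack"))
    # 3. SECRET/CRYPTO data to a SECRET node lacking the CRYPTO compartment: dropped.
    transport.send(Packet("bob", "carol", bob.clearance, b"key schedule"))

    return {
        "bob_inbox": [p.payload for p in bob.inbox],
        "alice_inbox": [p.payload for p in alice.inbox],
        "carol_inbox": [p.payload for p in carol.inbox],
        "audit": [(action, src, dst) for action, src, dst, _ in transport.audit],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Note that `send()` returns `None` in every case, so a sender in the example cannot tell exchange 2 or 3 apart from a lost packet; only the assumed privileged audit list, which the page's sender-side troubleshooting paths never consult, records the label-based reason for the drop.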